Chapter 44 Sun Java System Communications Services

Identity Manager provides the Sun Java System Communications Services
resource adapter to support Sun Java System Messaging Server (Messaging
Server) and Sun Java System Calendar Server (Calendar Server). These systems
must implement LDAP Schema 2, and Sun Java System Directory Server must be
used as the user store.

The Sun Java System Communications Services resource adapter is
defined in the com.waveset.adapter.SunCommunicationsServicesResourceAdapter class.

Adapter Details

This adapter extends the LDAP resource adapter. See the documentation for the LDAP adapter
for information about implementing LDAP-specific features.

The Communications Services adapter provides provisioning services for
standard Directory Server installations. It can also read the replication
changelog of Directory Server and apply those changes to Identity Manager users
or custom workflows.

Resource Configuration Notes

To set up a Sun Java System Directory Server resource for use with the
Communications Services adapter, you must configure the server to enable the
change log and to track modifier information. Both settings are made on the
Directory Server Configuration tab.

Setting Up a Directory Server Resource for Use with
the Communications Services Adapter

Click the Replication folder, then select the “Enable change log” box. For
5.0 and later servers, you must also enable the Retro Changelog plug-in: on
the Configuration tab, go to the Plugins object, select the Retro Changelog
plug-in, and enable it.

To verify that the server is configured to maintain the special attributes
for newly created or modified entries, open the Directory Server console,
click Configuration, and select the root entry in the navigation tree in the
left pane.

Click Settings and verify that the Track Entry Modification Times box is
checked.

With this setting, the server adds the following attributes to every newly
created or modified entry. The adapter uses them to determine whether a
change was initiated from Identity Manager.

creatorsName: The DN of the person who initially created the entry.

modifiersName: The DN of the person who last modified the entry.
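The following is an added example, not code from the Identity Manager product or this chapter, showing why the modifiersName and creatorsName stamps matter to a changelog reader: changes that Identity Manager's own service account wrote are filtered out so they are not echoed back as external events. The service account DN, the sample entries and the assumption that an LDIF export of the retro changelog carries the stamped modifiersName inside its base64-encoded changes value are all constructed for this example.

```python
import base64
from typing import Dict, List, Optional, Tuple

# Service account the adapter binds as (constructed sample DN, an assumption).
IDM_SERVICE_DN = "uid=idm-sync,ou=services,dc=example,dc=com"


def _entry(number: int, target: str, change_type: str, changes: str) -> str:
    """Build one retro changelog entry in LDIF form for the constructed sample.
    The multi-line 'changes' value is base64-encoded, as an LDIF export of the
    changelog would write it."""
    encoded = base64.b64encode(changes.encode()).decode()
    return (f"dn: changenumber={number},cn=changelog\n"
            f"changeNumber: {number}\n"
            f"targetDn: {target}\n"
            f"changeType: {change_type}\n"
            f"changes:: {encoded}\n\n")


# Constructed sample: one change made by Identity Manager itself, one by the
# directory administrator, and one add made by a help-desk account.
SAMPLE_CHANGELOG = (
    _entry(101, "uid=jdoe,ou=people,dc=example,dc=com", "modify",
           "replace: mailquota\nmailquota: 1048576\n-\n"
           f"replace: modifiersname\nmodifiersname: {IDM_SERVICE_DN}\n-\n")
    + _entry(102, "uid=jdoe,ou=people,dc=example,dc=com", "modify",
             "replace: inetuserstatus\ninetuserstatus: inactive\n-\n"
             "replace: modifiersname\nmodifiersname: cn=Directory Manager\n-\n")
    + _entry(103, "uid=asmith,ou=people,dc=example,dc=com", "add",
             "objectclass: inetOrgPerson\nuid: asmith\nsn: Smith\ncn: Ann Smith\n"
             "creatorsname: uid=helpdesk,ou=services,dc=example,dc=com\n"
             "modifiersname: uid=helpdesk,ou=services,dc=example,dc=com\n")
)


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: unfolds continuation lines and handles both
    'attr: value' and base64 'attr:: value'. Attribute names are lower-cased
    because LDAP attribute names are case-insensitive."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation of the previous line
        else:
            lines.append(raw)
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):         # 'attr:: base64'
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def stamped_modifier(entry: Dict[str, List[str]]) -> Optional[str]:
    """Return the modifiersName (or, for an add, creatorsName) recorded in the
    entry's changes block, or None if the server stamped neither."""
    found: Dict[str, str] = {}
    for block in entry.get("changes", []):
        for line in block.splitlines():
            name, _, value = line.partition(":")
            key = name.strip().lower()
            if key in ("modifiersname", "creatorsname"):
                found.setdefault(key, value.strip())
    return found.get("modifiersname") or found.get("creatorsname")


def external_changes(ldif_text: str, service_dn: str) -> List[Tuple[int, str, str]]:
    """Return (changeNumber, targetDn, changeType) for every changelog entry
    whose recorded modifier is not the adapter's own service account. Those are
    the changes that originated outside Identity Manager; the adapter's own
    writes are skipped so they are not fed back into a sync loop."""
    result = []
    for entry in parse_ldif(ldif_text):
        if "changenumber" not in entry:
            continue
        modifier = stamped_modifier(entry)
        if modifier is not None and modifier.lower() == service_dn.lower():
            continue
        result.append((int(entry["changenumber"][0]),
                       entry["targetdn"][0], entry["changetype"][0]))
    return result


if __name__ == "__main__":
    for change in external_changes(SAMPLE_CHANGELOG, IDM_SERVICE_DN):
        print(change)
```

An entry with no stamp at all is treated as external, which is the safe default: a missed Identity Manager write costs one redundant reconciliation, whereas dropping a genuine external change would silently desynchronise the account.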

Identity Manager Installation Notes

No additional installation procedures are required on this resource.

Usage Notes

Service Accounts

Create an Identity Manager service account to connect to Communications
Services, rather than using the administrator account CN=Directory Manager.
Use your Directory Server management tool to set permissions through an
access control instruction (ACI) at each base context.

Set the permissions in the ACI according to the role of the source. If the
adapter connects to an authoritative source, grant read, search, and possibly
compare permissions only. If the adapter is also used to write back, grant
write and possibly delete permissions as well.

Note –

If the account will be used to monitor the changelog, also create an ACI on
cn=changelog. Grant read and search permissions only, because changelog
entries cannot be written or deleted.
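As an added example (not from the Identity Manager documentation or product), the following code generates the ACIs this section describes for a service account and checks the one property a reviewer would want enforced: the cn=changelog ACI grants nothing beyond read and search. The base context, the service account DN and the ACI names are constructed; the ACI syntax is the Directory Server version 3.0 form.

```python
from typing import Iterable, Set

# Permission sets the Service Accounts section describes.
AUTHORITATIVE = ("read", "search", "compare")            # source is authoritative
WRITE_BACK = AUTHORITATIVE + ("write", "add", "delete")  # adapter also writes back
CHANGELOG = ("read", "search")                           # cn=changelog is read-only


def service_account_aci(service_dn: str, name: str, permissions: Iterable[str]) -> str:
    """Return one Directory Server ACI value that grants `permissions` on all
    attributes of the entry carrying the ACI (and its subtree) to `service_dn`."""
    perms = ",".join(permissions)
    return (f'(targetattr = "*")(version 3.0; acl "{name}"; '
            f'allow ({perms}) userdn = "ldap:///{service_dn}";)')


def _add_aci(dn: str, aci: str) -> str:
    """LDIF modify record that adds one aci value to the entry `dn`."""
    return f"dn: {dn}\nchangetype: modify\nadd: aci\naci: {aci}\n"


def aci_ldif(base_context: str, service_dn: str,
             write_back: bool, monitor_changelog: bool) -> str:
    """LDIF modify records that add the ACIs for an Identity Manager service
    account: one on the base context, with permissions chosen by the source's
    role, and, if the account will monitor the changelog, a read/search-only
    ACI on cn=changelog."""
    perms = WRITE_BACK if write_back else AUTHORITATIVE
    records = [_add_aci(base_context, service_account_aci(
        service_dn, "Identity Manager service account", perms))]
    if monitor_changelog:
        records.append(_add_aci("cn=changelog", service_account_aci(
            service_dn, "Identity Manager changelog reader", CHANGELOG)))
    return "\n".join(records)


def permissions_in(aci: str) -> Set[str]:
    """Parse the allow(...) list back out of an ACI value."""
    start = aci.index("allow (") + len("allow (")
    end = aci.index(")", start)
    return {p.strip() for p in aci[start:end].split(",")}


def changelog_acis_read_only(ldif: str) -> bool:
    """True if every ACI placed on cn=changelog in `ldif` grants nothing beyond
    read and search, which is all the changelog monitor needs."""
    for record in ldif.split("\n\n"):
        lines = record.strip().splitlines()
        if not lines or lines[0].strip().lower() != "dn: cn=changelog":
            continue
        for line in lines:
            if line.lower().startswith("aci:") and not permissions_in(line) <= {"read", "search"}:
                return False
    return True


if __name__ == "__main__":
    # Constructed sample: a write-back resource whose account also reads the changelog.
    ldif = aci_ldif("dc=example,dc=com", "uid=idm-sync,ou=services,dc=example,dc=com",
                    write_back=True, monitor_changelog=True)
    print(ldif)
    print("changelog ACI read-only:", changelog_acis_read_only(ldif))
```

Apply the generated LDIF with the directory's own ldapmodify tool as an administrator; the check function is also useful on ACIs exported from an existing server to confirm that nobody has widened the changelog grant over time.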

The sources.ResourceName.hosts property in the waveset.properties file
controls which host or hosts in a cluster execute the synchronization portion
of an Active Sync resource adapter. Replace ResourceName with the name of the
Resource object.

Before and After Actions

The Sun Communications Services resource adapter does not perform before
or after actions. Instead, you may use the Action
Proxy Resource Adapter field in the Resource Wizard to designate
a proxy resource adapter that has been configured to run actions.

The following example script could be run on the proxy resource after
creating a user:

REM Messaging Server command-line utilities live under the server root
SET PATH=c:\Sun\Server-Root\lib
SET SYSTEMROOT=c:\winnt
SET CONFIGROOT=C:/Sun/Server-Root/Config
REM %WSUSER_accountId% holds the account ID of the user Identity Manager just created
mboxutil -c -P user/%WSUSER_accountId%.*

The following example script deletes the user’s mailboxes when the user is
deleted:

REM Messaging Server command-line utilities live under the server root
SET PATH=c:\Sun\Server-Root\lib
SET SYSTEMROOT=c:\winnt
SET CONFIGROOT=C:/Sun/Server-Root/Config
REM %WSUSER_accountId% holds the account ID of the user being deleted
mboxutil -d -P user/%WSUSER_accountId%.*

Security Notes

This section provides information about supported connections
and privilege requirements.

Supported Connections

Identity Manager uses Java Naming and Directory Interface (JNDI) over TCP/IP or SSL to communicate
with the Communications Services adapter.

If you are using TCP/IP, specify port 389 on the Resource
Attributes page.

If you are using SSL, specify port 636.

Required Administrative Privileges

If the value cn=Directory Manager is specified in
the User DN resource parameter, then the Identity Manager administrator has
the necessary permissions to manage accounts. If a different distinguished
name is specified, that user must have the ability to read, write, delete,
and add users.

Provisioning Notes

The following table summarizes the provisioning capabilities of this
adapter.

Feature | Supported?
Enable/disable account | Yes
Rename account | Yes
Pass-through authentication | Yes
Before/after actions | No, but a proxy resource adapter may be specified.
Data loading methods | Import directly from resource; Reconcile with resource; Active Sync

Account Attributes

The syntax (or type) of an attribute usually determines whether the
attribute is supported. In general, Identity Manager supports Boolean,
string, integer, and binary syntaxes. A binary attribute is one that can be
safely expressed only as a byte array.

The following table lists the supported LDAP syntaxes. Other LDAP syntaxes
might be supported, as long as they are Boolean, string, or integer in
nature. Octet strings are NOT supported.

LDAP Syntax | Attribute Type | Object ID
Audio | Binary | 1.3.6.1.4.1.1466.115.121.1.4
Binary | Binary | 1.3.6.1.4.1.1466.115.121.1.5
Boolean | Boolean | 1.3.6.1.4.1.1466.115.121.1.7
Country String | String | 1.3.6.1.4.1.1466.115.121.1.11
DN | String | 1.3.6.1.4.1.1466.115.121.1.12
Directory String | String | 1.3.6.1.4.1.1466.115.121.1.15
Generalized Time | String | 1.3.6.1.4.1.1466.115.121.1.24
IA5 String | String | 1.3.6.1.4.1.1466.115.121.1.26
Integer | Int | 1.3.6.1.4.1.1466.115.121.1.27
Postal Address | String | 1.3.6.1.4.1.1466.115.121.1.41
Printable String | String | 1.3.6.1.4.1.1466.115.121.1.44
Telephone Number | String | 1.3.6.1.4.1.1466.115.121.1.50

Default Account Attributes

The following attributes are displayed on the Account Attributes page for
the Communications Services resource adapter. All attributes are of type
String unless otherwise noted.

Identity System User Attribute | Resource User Attribute | Description
accountId | uid | User ID
accountId | cn | Required. The user’s full name.
password | userPassword | Encrypted
firstname | givenname | The user’s first (given) name.
lastname | sn | Required. The user’s last name (surname).
email | mail | The user’s fully qualified email address.
modifyTimeStamp | modifyTimeStamp | Indicates when a user entry was modified. By default, this attribute is displayed for the Sun Communications Services adapter only.
objectClass | objectClass | The object class to monitor for changes.
alternateEmail | mailalternateaddress | Alternate email address of this recipient.
mailDeliveryOption | maildeliveryoption | Specifies delivery options for the mail recipient. One or more values are permitted on a user or group entry, supporting multiple delivery paths for inbound messages. Values apply differently depending on whether the attribute is used in inetMailGroup or inetMailUser.
mailHost | mailhost | The fully qualified host name of the mail transfer agent (MTA) that is the final destination of messages sent to this recipient.
mailForwardingAddress | mailforwardingaddress | Specifies one or more forwarding addresses for inbound messages.
inetUserStatus | inetuserstatus | Specifies the status of a user’s account with regard to global server access. The possible values are active, inactive, or deleted.
mailQuota | mailquota | The amount of disk space, in bytes, allowed for the user’s mailbox.
mailAutoReplySubject | mailautoreplysubject | Text to be used as the subject of an auto-reply response.
mailAutoReplyText | mailautoreplytext | Auto-reply text sent to all senders except users in the recipient’s domain.
mailAutoReplyTextInternal | mailautoreplytextinternal | Auto-reply text sent to senders from the recipient’s domain.
vacationStartDate | vacationstartdate | Vacation start date and time, in the format YYYYMMDDHHMMSSZ.
vacationEndDate | vacationenddate | Vacation end date and time, in the format YYYYMMDDHHMMSSZ.
mailAutoReplyMode | mailautoreplymode | The auto-reply mode for the user’s mail account. The possible values are echo and reply.
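As an added example (not from the Identity Manager documentation or product), the following validator checks a set of resource user attributes against the constraints the table above states before they are pushed to the resource: cn and sn are required, inetUserStatus and mailAutoReplyMode take fixed values, mailQuota is a byte count, and the vacation dates use the YYYYMMDDHHMMSSZ form (the start must not follow the end). Attribute names are matched case-insensitively, as LDAP does; the sample entries are constructed.

```python
from datetime import datetime
from typing import Dict, List, Optional, Union

INET_USER_STATUS = {"active", "inactive", "deleted"}   # inetUserStatus values
AUTO_REPLY_MODES = {"echo", "reply"}                    # mailAutoReplyMode values
VACATION_FORMAT = "%Y%m%d%H%M%SZ"                       # YYYYMMDDHHMMSSZ

Attrs = Dict[str, Union[str, List[str]]]


def _first(attrs: Attrs, name: str) -> Optional[str]:
    """First value of a possibly multi-valued attribute, or None if absent."""
    value = attrs.get(name)
    if isinstance(value, list):
        return value[0] if value else None
    return value


def parse_vacation_date(value: str) -> datetime:
    """Parse the YYYYMMDDHHMMSSZ form used by vacationStartDate and vacationEndDate."""
    return datetime.strptime(value, VACATION_FORMAT)


def validate_account(raw: Attrs) -> List[str]:
    """Return the problems found in the resource user attributes; an empty
    list means the values satisfy the documented constraints."""
    attrs = {k.lower(): v for k, v in raw.items()}  # LDAP attribute names are case-insensitive
    problems: List[str] = []
    for required in ("cn", "sn"):
        if not _first(attrs, required):
            problems.append(f"{required} is required")
    status = _first(attrs, "inetuserstatus")
    if status is not None and status not in INET_USER_STATUS:
        problems.append(f"inetuserstatus must be one of {sorted(INET_USER_STATUS)}, got {status!r}")
    mode = _first(attrs, "mailautoreplymode")
    if mode is not None and mode not in AUTO_REPLY_MODES:
        problems.append(f"mailautoreplymode must be echo or reply, got {mode!r}")
    quota = _first(attrs, "mailquota")
    if quota is not None and not str(quota).isdigit():
        problems.append(f"mailquota must be a byte count, got {quota!r}")
    dates: Dict[str, datetime] = {}
    for name in ("vacationstartdate", "vacationenddate"):
        value = _first(attrs, name)
        if value is None:
            continue
        try:
            dates[name] = parse_vacation_date(value)
        except ValueError:
            problems.append(f"{name} must use the format YYYYMMDDHHMMSSZ, got {value!r}")
    if len(dates) == 2 and dates["vacationstartdate"] > dates["vacationenddate"]:
        problems.append("vacationstartdate is after vacationenddate")
    return problems


# Constructed sample entries (not real accounts).
VALID_USER: Attrs = {
    "uid": "jdoe", "cn": "Jane Doe", "sn": "Doe", "givenname": "Jane",
    "mail": "jdoe@example.com", "inetUserStatus": "active",
    "mailQuota": "104857600", "mailAutoReplyMode": "reply",
    "vacationStartDate": "20240701000000Z", "vacationEndDate": "20240714235959Z",
}
BAD_USER: Attrs = {
    "uid": "bsmith", "cn": "Bob Smith",            # sn missing
    "inetUserStatus": "suspended",                 # not a documented value
    "mailAutoReplyMode": "forward",                # not echo or reply
    "mailQuota": "100MB",                          # not a byte count
    "vacationStartDate": "2024-07-01",             # wrong date form
    "vacationEndDate": "20240714235959Z",
}

if __name__ == "__main__":
    for label, user in (("valid", VALID_USER), ("bad", BAD_USER)):
        print(label, validate_account(user) or "ok")
```

Running the check in the provisioning workflow before the adapter writes the entry turns a schema or value rejection from the resource into a readable message for the requester, and keeps half-written accounts out of the directory.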

Default Supported Object Classes

By default, the Sun Java System Communications Services resource adapter
uses the following object classes when creating new user objects in the LDAP
tree. Other object classes may be added.

top

person

inetUser

organizationalPerson

inetOrgPerson

ipUser

userPresenceProfile

iplanet-am-managed-person

inetMailUser

inetLocalMailRecipient

icscalendaruser

top Object Class

The top object
class must contain the objectClass attribute, which is
present as an account attribute by default. The top object class is extended
by a number of object classes, including the person object
class.

person Object Class

The following table lists additional supported attributes that are defined
in the LDAP person object class.

Resource User Attribute | LDAP Syntax | Attribute Type | Description
description | Directory string | String | A short informal explanation of the special interests of a person.
seeAlso | DN | String | A reference to another person.
telephoneNumber | Telephone number | String | Primary telephone number.

inetUser Object Class

The inetUser object class represents a user account or a resource account
(a resource being any object to which services are provided). It is used
together with inetMailUser and ipUser to create a mail account. When creating
user accounts, this object class extends the base entry created by
inetOrgPerson.

The following table lists additional supported attributes that are defined
in the inetUser object class.

Resource User Attribute | LDAP Syntax | Attribute Type | Description
inetUserStatus | Directory string | String | Specifies the status of a user’s account with regard to global server access. The possible values are active, inactive, and deleted.

organizationalPerson Object Class

The following table lists additional supported attributes that are defined
in the LDAP organizationalPerson object class. This object class also
inherits attributes from the person object class.

Resource User Attribute | LDAP Syntax | Attribute Type | Description
destinationIndicator | Printable string | String | This attribute is used for the telegram service.
facsimileTelephoneNumber | Facsimile telephone number | String | The primary fax number.
internationaliSDNNumber | Numeric string | String | Specifies an international ISDN number associated with an object.
l | Directory string | String | The name of a locality, such as a city, county, or other geographic region.
ou | Directory string | String | The name of an organizational unit.
physicalDeliveryOfficeName | Directory string | String | The office to which deliveries are routed.
postalAddress | Postal address | String | The office location in the user’s place of business.
postalCode | Directory string | String | The postal or zip code for mail delivery.
postOfficeBox | Directory string | String | The P.O. Box number for this object.
preferredDeliveryMethod | Delivery method | String | The preferred way to deliver to the addressee.
registeredAddress | Postal address | String | A postal address suitable for reception of telegrams or expedited documents, where it is necessary to have the recipient accept delivery.
st | Directory string | String | State or province name.
street | Directory string | String | The street portion of the postal address.
teletexTerminalIdentifier | Teletex terminal identifier | String | The teletex terminal identifier for a teletex terminal associated with an object.
telexNumber | Telex number | String | The telex number in international notation.
title | Directory string | String | Contains the user’s job title. This property is commonly used to indicate the formal job title, such as Senior Programmer, rather than the occupational class, such as programmer. It is not typically used for suffix titles such as Esq. or DDS.
x121Address | Numeric string | String | The X.121 address for an object.

inetOrgPerson Object Class

The following table lists additional supported attributes that are defined
in the LDAP inetOrgPerson
object class. This object class can also inherit attributes from the organizationalPerson
object class.

Resource User Attribute | LDAP Syntax | Attribute Type | Description
audio | Audio | Binary | An audio file.
businessCategory | Directory string | String | The kind of business performed by an organization.
carLicense | Directory string | String | Vehicle license or registration plate.
departmentNumber | Directory string | String | Identifies a department within an organization.
displayName | Directory string | String | Preferred name of a person to be used when displaying entries.
employeeNumber | Directory string | String | Numerically identifies an employee within an organization.
employeeType | Directory string | String | Type of employment, such as Employee or Contractor.
homePhone | Telephone number | String | The user’s home telephone number.
homePostalAddress | Postal address | String | The user’s home address.
initials | Directory string | String | Initials for parts of the user’s full name.
jpegPhoto | JPEG | Binary | An image in JPEG format.
labeledURI | Directory string | String | A Universal Resource Identifier (URI) and optional label associated with the user.
mail | IA5 string | String | One or more email addresses.
manager | DN | String | Directory name of the user’s manager.
mobile | Telephone number | String | The user’s cell phone number.
o | Directory string | String | The name of an organization.
pager | Telephone number | String | The user’s pager number.
preferredLanguage | Directory string | String | Preferred written or spoken language for a person.
roomNumber | Directory string | String | The user’s office or room number.
secretary | DN | String | Directory name of the user’s administrative assistant.
userCertificate | Certificate | Binary | A certificate, in binary format.

ipUser Object Class

The ipUser object class holds the reference to the personal address book
container and the class of service specifier.

The following table lists additional supported attributes that are defined
in the ipUser object class.

Resource User Attribute | Syntax | Attribute Type | Description
inetCoS | String, multi-valued | String | Specifies the name of the Class of Service (CoS) template supplying values for attributes in the user entry.
memberOfPAB | String, multi-valued | String | The unique name of the personal address book(s) in which this entry belongs.
maxPabEntries | Integer, single-valued | Integer | The maximum number of personal address book entries users are permitted to have in their personal address book store.
pabURI | String, single-valued | String | LDAP URI specifying the container of the personal address book entries for this user.

userPresenceProfile Object Class

The userPresenceProfile object class stores the presence information for a
user.

This object class may contain the vacationStartDate and vacationEndDate
attributes, which are present as account attributes by default.

iplanet-am-managed-person Object Class

The following table lists additional supported attributes that are defined
in the iplanet-am-managed-person object class.

Resource User Attribute | Syntax | Attribute Type | Description
iplanet-am-modifiable-by | DN, multi-valued | String | The role DN of the administrator who has access rights to modify the user entry.
iplanet-am-role-aci-description | String, multi-valued | String | Description of the ACI that belongs to the role.
iplanet-am-static-group-dn | DN, multi-valued | String | Defines the DNs of the static groups the user belongs to.
iplanet-am-user-account-life | Date string, single-valued | String | Specifies the account expiration date in the format yyyy/mm/dd hh:mm:ss.

inetMailUser Object Class

The inetMailUser object class extends the base entry created by inetOrgPerson
to define a messaging service user. It represents a mail account and is used
together with inetUser and inetLocalMailRecipient.

The following table lists additional supported attributes that are defined
in the inetMailUser object class.

Resource User Attribute | Syntax | Attribute Type | Description
dataSource | String, single-valued | String | Text field to store a tag or identifier.
mailAllowedServiceAccess | String, single-valued | String | Stores access filters (rules).
mailAntiUBEService | String, multi-valued | String | Instructions for a program that handles unsolicited bulk email.
mailAutoReplyTimeOut | Integer, single-valued | Integer | Duration, in hours, between successive auto-reply responses to any given mail sender.
mailConversionTag | String, multi-valued | String | Method of specifying unique conversion behavior for a user or group entry.
mailDeferProcessing | String, single-valued | String | Controls whether address expansion of the current user or group entry is performed immediately or deferred.
mailEquivalentAddress | String, multi-valued | String | Equivalent to mailAlternateAddress in regard to mail routing, except that with this attribute the header is not rewritten.
mailMessageStore | String, single-valued | String | Specifies the message store partition name for the user.
mailMsgMaxBlocks | Integer, single-valued | Integer | The size, in units of MTA blocks, of the largest message that can be sent to this user or group.
mailMsgQuota | Integer, single-valued | Integer | Maximum number of messages permitted for a user.
mailProgramDeliveryInfo | String, multi-valued | String | Specifies one or more programs used for program delivery.
mailSieveRuleSource | String, multi-valued | String | Contains a Sieve rule (RFC 3028 compliant) used to create a message filter script for a user entry.
mailSMTPSubmitChannel | String, single-valued | String | This attribute is a factor involved in setting up guaranteed message delivery, or in setting up other special classes of service.
mailUserStatus | String, single-valued | String | Current status of the mail user. Can be one of the following values: active, inactive, deleted, hold, overquota, or removed.
nswmExtendedUserPrefs | String, multi-valued | String | Holds the pairs that define Messenger Express preferences, such as sort order and Mail From address.

inetLocalMailRecipient Object Class

The inetLocalMailRecipient object class provides a way to designate an LDAP
entry as one that represents a local email recipient, to specify the
recipient’s email addresses, and to provide routing information pertinent to
the recipient.

The following table lists additional supported attributes that are defined
in the inetLocalMailRecipient object class. (All other attributes in this
object class are present as account attributes by default.)

Resource User Attribute | LDAP Syntax | Attribute Type | Description
mailRoutingAddress | String, single-valued | String | Used together with mailHost to determine whether the address should be acted upon at this time or forwarded to another system.

icsCalendarUser Object Class

The icsCalendarUser object class defines a Calendar Server user.

The following table lists additional supported attributes that are defined
in the icsCalendarUser object class. (All other attributes in this object
class are present as account attributes by default.)

Resource User Attribute | LDAP Syntax | Attribute Type | Description
icsAllowedServiceAccess | String, single-valued | String | Disallows calendar services to a user.
icsCalendar | String, single-valued | String | The calendar ID (calid) of the default calendar for a user or resource. Required attribute for Calendar Manager.
icsCalendarOwned | String, multi-valued | String | Calendars owned by this user.
icsDWPHost | String, single-valued | String | Stores a Database Wire Protocol (DWP) host name so that the calendar ID can be resolved to the DWP server that stores the calendar and its data.
icsExtendedUserPrefs | String, multi-valued | String | Extensions for calendar user preferences.
icsFirstDay | String, single-valued | Integer | First day of the week to be displayed on the user’s calendar.
icsSet | String, multi-valued | String | Defines one group of calendars. The value for this attribute is a six-part string, with each part separated by a dollar sign ($).
icsStatus | String, single-valued | String | This attribute must be set when assigning calendar services to a domain. The possible values are active, inactive, and deleted.
icsSubscribed | String, multi-valued | String | List of calendars to which this user is subscribed.
icsTimezone | String | String | The default time zone for this user or resource calendar if one is not explicitly assigned through the user’s own preferences.
preferredLanguage | String, single-valued | String | Preferred written or spoken language for a person.

Resource Object Management

Identity Manager supports the following LDAP objects by default. Any
string-, integer-, or Boolean-based attributes can also be managed.